Abstract. Size-Change Termination (SCT) is a method of proving program termination based on the impossibility of infinite descent. To this end we may use a program abstraction in which transitions are described by monotonicity constraints over (abstract) variables. Size-change graphs are a subclass where only constraints of the form x > y' and x ≥ y' are allowed. Both theory and practice are now more evolved in this restricted framework than in the general framework of monotonicity constraints. This paper shows that it is possible to adapt and extend some theory from the domain of size-change graphs to the general case, thus complementing previous work on monotonicity constraints. In particular, we present precise decision procedures for termination; and we provide a procedure to construct explicit global ranking functions from monotonicity constraints in singly-exponential time, which is better than what has been published so far even for size-change graphs.



1. Introduction 

This paper is concerned with termination analysis. This is a fundamental and much-studied problem of software verification, certification and transformation. While being, historically, the epitome of undecidability, much progress has been made on automatizing termination proofs, so that now we find termination assertions in practical programming tools such as JML [24] and proof assistants such as ACL2 [31] and Isabelle [23]. One of the contributing factors to the development of automated termination analysis was its importance in designing certain meta-programs, e.g., interpreters for Logic Programs [32, 16] and partial evaluators [20, 21]. In such applications, the danger is that the meta-program will diverge, which is unacceptable. In theorem provers, termination proofs are required for showing that recursive definitions are sound.

A subproblem of termination analysis is the construction of global ranking functions. Such a function is required to decrease in each step of a program (for "step" read basic block, function call, etc., as appropriate); the function witnesses the progress towards termination. An explicitly presented ranking function whose descent is (relatively) easy to verify is a useful certificate for termination [22] and may have other uses, such as running-time analysis [2].

As the general halting problem is undecidable, every method for termination analysis 
consists, in principle, of identifying some subproblem that is decidable. This can be done in 
a more or less structured manner; a very structured approach is to break the termination 
problem for programs into two stages: the first is abstraction of the program, in which 
the concrete program is replaced with an abstract one, essentially a simplified model of the 
original. The second stage is analysis of the abstract program. One benefit of this separation 
is that the abstract programs may be rather independent of the concrete programming 
language. Another one is that the termination problem for the abstract programs may be 
decidable. 

Size-change termination (SCT [26]) is such an approach. It views a program as a 
transition system with states. The abstraction consists in forming a control-flow graph for 
the program, identifying a set of state variables, and forming a finite set of size-change 
graphs that are abstractions of the transitions of the program. In essence, a size-change 
graph is a set of inequalities between variables of the source state and the target state. 
Thus, the SCT abstraction is an example of a transition system defined by constraints of a 
particular type. 

The technique concentrates on well-founded domains, where infinite descent is impossible. An SCT termination proof is a proof that any (hypothetical) infinite run would decrease some value monotonically and endlessly so that well-foundedness is contradicted. Since only chains of non-increasing values are of interest, only two types of inequalities were admitted into the constraints in [26]: x > y' (old value of x greater than new value of y) and x ≥ y'.

Size-change graphs lend themselves to a very natural generalization: Monotonicity Constraints. Here, a transition may be described by any conjunction of order relations, including equalities as well as strict and non-strict inequalities, and involving any pair of variables from the source state and target state. Thus, it can express a relation among source variables, that applies to states in which the transition may be taken; a relation among the target variables, which applies to states which the transition may produce; and, as in SCT, relations involving a source variable and a target variable, but here equalities can be used, as well as relations like x < x', that is, an increase.

The Monotonicity Constraint Systems treated in this paper will include another con- 
venience, state invariants associated with a point in the control-flow graph. These too are 
conjunctions of order constraints. 

Monotonicity constraint systems generalize the SCT abstraction and are clearly more expressive. It may happen that analysis of a program yields monotonicity constraints which are not size-change graphs; in such a case, simply approximating the constraints by a size-change graph may end up missing the termination proof. For an example, see the next section. It is not surprising, perhaps, that Monotonicity Constraints actually predated the SCT framework — consider the Prolog termination analyses in [27, 13]. But as often happens in science, concentrating on a simplified system that is sufficiently interesting was conducive to research, and the formulation of the SCT framework led to a series of interesting discoveries. To pick up some of the salient points:
• The SCT abstraction has a simple semantics, in terms of transition systems.

• It has a useful combinatorial representation as a set of graphs, known as the size-change graphs.

• A termination criterion has been formulated in terms of these graphs (the existence of an infinite descending thread in every infinite multipath [26]).

• This criterion is equivalent to the termination of every model (transition system) — in logical terms, this condition is sound and complete [26, 25].

• Termination of a set of size-change graphs can be effectively decided; while having exponential worst-case time, the method is often usable. The best-known method is a closure-based algorithm [26], which can be theoretically related to termination proofs by disjunctively well-founded transition invariants [33, 12]. More theoretically, the complexity of the problem has been identified as PSPACE-complete [26].

• It has been established that a global ranking function can also be effectively constructed from the size-change graphs. Lee [25] gave the first proof, where the size of the resulting ranking expression is up to triply-exponential in the size of the abstract program. This left open the challenging problem of improving this upper bound. Progress regarding certain special cases is reported in [^.

Which of the useful results can also be obtained in the stronger framework of mono- 
tonicity constraints? One contribution of this paper is an answer: in essence, all of them. 

A second contribution of this paper is an algorithm to verify termination of a monotonicity constraint system while constructing a global ranking function, all in singly-exponential time. Thus, we solve the open problem from [25], and, surprisingly, by tackling a super-problem. The ranking functions generated have a simple form, and are based solely on lexicographic descent. Their worst-case size as well as ordinal height match known lower bounds.

Prior Work. The Prolog termination analysers Termilog [27, 28] and Terminweb [13] can both construct monotonicity constraints for a program. The abstraction used in both systems also includes instantiation patterns, particular to logic programming; however, ignoring this aspect, the termination analysis boils down to deciding termination of monotonicity constraint systems.

The implementation of SCT analysis in ACL2 [31] added to the original SCT formu- 
lation a notion of state invariants (in the form of "calling contexts"). This predates our 
inclusion of state invariants in the monotonicity-constraint abstraction. 

Codish, Lagoon and Stuckey [12] were the first to investigate the question of monotonicity constraints versus size-change graphs. They made the intriguing observation that the termination test used in [27, 13, 28] is sound and complete for SCT, but incomplete for general monotonicity constraints. They also presented a correct test (that is, sound and complete), closely related to the algorithms presented here (see Section 5.3).



Usefulness of monotonicity constraints. Another important point in [12] is how monotonicity constraints can imply termination for the integer domain, in a way that transcends the well-founded model discussed above. For example, monotonicity constraints are sufficient for deducing termination of a loop such as while (x<y) x=x+1. The theory presented in this paper can, in principle, be adapted to the integer domain. The basic ideas can be found in [12] and [5]. The details are, however, complicated, and in order to keep this paper lucid (and of reasonable length), they are deferred to a future publication. Since this paper is an attempt to present a coherent theory for monotonicity constraints, including several novel definitions and results, it will be restricted to the well-founded model, which allows for a more elegant theoretical development. It may be true that for proving termination in the cases where the well-founded model is natural (programs operating over lists, trees etc.), SCT works so well that the extension is practically redundant (at least, I have not seen empirical evidence to the contrary). Nonetheless, users of SCT in such contexts may benefit from the new ranking-function construction, as no singly-exponential worst-case construction has been known for SCT; and future application to the integer domain will be facilitated by the theoretical foundation.

The reader is asked to bear, therefore, with the rather abstract presentation in this paper, and turn to [26] or other papers on SCT for concrete examples of programs and their abstract representation. All examples proved to terminate using size-change graphs will also be amenable to the new ranking-function construction.

Some of the results in this paper have been presented at CAV 2009 [5].

How to abstract a program. Let us conclude this discussion by saying something about the method of abstracting programs, that is, extracting the monotonicity constraints. Such an analysis may be done in a very simple-minded manner in the style of the toy example given in [26], but when it is necessary to establish relations between computed values, a stronger static analysis will be necessary. Fortunately, such tools exist. A classic example is [10] for logic programs, which underlies Termilog. The more recent [9] is used in Terminweb, as is polyhedral analysis [15], which is an all-times favourite for handling imperative programs [H

The implementations of SCT analysis in ACL2 [31] and Isabelle [22] rely on a theorem prover to derive constraints.

In the rest of this paper, we concentrate on analysing the abstract programs, and do 
not aim to contribute to the art of abstraction, except indirectly, by drawing attention to 
the possibilities of abstracting a program to a monotonicity constraint system. 

2. Basic definitions and examples 

This section introduces monotonicity constraint systems (MCS) and their semantics, and formally relates them to the SCT abstraction. As terminology is not uniform across SCT-related publications, some arbitrary choices had to be made. For instance, we shall use the term flow point where some references use flow-chart point, program location or function, the latter obviously in a functional-programming context.

Throughout the text, the symbol ▷ will serve as a meta-variable ranging over the relations {>, ≥}.

2.1. Monotonicity constraint systems: structure. A monotonicity constraint system 
is an abstract program. An abstract program is, essentially, a set of abstract transitions. 
An abstract transition is a relation on (abstract) program states. 

When describing program transitions, it is customary to mark the variables in the resulting state with primes (e.g., x'). For simplicity, we will name the variables x1, ..., xn (regardless of what flow point we are referring to). Of course, in practice there is no reason for the number of variables to be the same throughout the program, but this does not affect the theory in any essential way.

Definition 2.1. A monotonicity constraint system, or MCS, is an abstract program representation that consists of a control-flow graph (CFG), monotonicity constraints and state invariants, all defined below.

• A control-flow graph is a directed graph (allowing parallel arcs) over the set F of flow points.

• A monotonicity constraint (MC) is a conjunction of order constraints x ▷ y where x, y ∈ {x1, ..., xn, x1', ..., xn'}.

• Every CFG arc f → g is associated with a monotonicity constraint G. We write G : f → g.

• For each f ∈ F, there is an invariant I_f, which is a conjunction of order constraints among the variables {x1, ..., xn}.

In writing order constraints, we will also use <, ≤ as syntactic sugar (x < y is y > x), and x = y to mean x ≥ y ∧ y ≥ x.

The terms "abstract program", "constraint system" and "MCS instance" are used interchangeably, when context permits. The letters A, B are usually used to denote such a program; F_A, F_B denote their respective flow-point sets.

We next show how an MC is represented by a labeled digraph (directed graph); the notation x —r→ y represents an arc from x to y with label r.

Definition 2.2 (constraints as graphs). The graph representation of a monotonicity constraint is a labeled digraph (V, E) with V = {x1, ..., xn, x1', ..., xn'} and E includes a labeled arc for each constraint: specifically, for a constraint x ▷ y, an arc x —▷→ y.

The labeled arcs are referred to, verbally, as strict (for >) and non-strict (≥).

Note that arcs may connect two source variables, two target variables or a source and a target variable — in any direction. The notation x → y may be used to represent an arc from x to y (of unspecified label). In diagrams, to avoid clutter, we distinguish the types of arcs by using a dashed arrow for the weak inequalities or equalities (see Figure 1).

An equality constraint x = y is represented by a pair of non-strict arcs. In certain algorithms, it is convenient to assume that such arcs are distinguished from "ordinary" non-strict arcs. We refer to them as no-change arcs.

Henceforth, we identify an MC with its graph representation: it is a graph and a logical conjunction of constraints at the same time. Context will usually clarify what view is taken.

Example 2.3. Consider the following (contrived) program fragment:

    while (x,y,z > 0)
        if (y>x)
            y = z; x = unknown(); z = x-1
        else
            z = z-1; x = unknown(); y = x-1

The program computes over non-negative integers, which justifies the well-founded model. For representing this program as an MCS in an economic way, we transform each basic block (namely each branch of the if) into an MC. The CFG thus consists of a single flow-point, representing the top of the loop, with two self-loops, G1 and G2:

    G1 : x < y ∧ z = y' ∧ x' > z'

    G2 : x ≥ y ∧ z > z' ∧ x' > y'

Figure 1 shows the graph representation of this MCS. □

Figure 1: MCS example. The CFG (not shown) consists of a single flow-point and two self-loops. In the MC graphs, the left-hand side is the source. Broken arcs represent non-strict descent.

One may wonder why only conjunctions are allowed. In fact, any Boolean combination of constraints can be put into disjunctive normal form, and then split into several MCs, one for each disjunct. Of course, there are combinations (e.g., in conjunctive normal form) that will be blown up exponentially. Apparently, this has not been a problem in applications of SCT so far.

Another natural question is why state invariants are included in the definition, as it is possible to include the constraints I_f in every MC that transitions from f, making the state invariant redundant. However, it may be convenient (and is very much so in the algorithms of later sections) to make the association of certain constraints with a flow point, rather than a specific transition, explicit. Note also that static analysis algorithms (e.g., interval analysis [15]) often associate invariants with locations in the program, taking into account all transitions that lead to a given location.

The size-change graphs of [26] are a simple class of monotonicity constraints:

Definition 2.4 (size-change graph). A size-change graph (SCG) is a monotonicity constraint consisting only of relations of the forms x_i ▷ x_j'. As a graph, it is bipartite and includes only arcs from source variables to target variables.

An SCT instance is an MCS where all constraints are size-change graphs and all invariants are trivial.



2.2. Semantics and termination. Recall that a well-order is a total order with no infinite strictly-descending chains, in other words, a well-founded total order. The semantics of the abstract program assumes a well-ordered set Val as the domain for variables' values. The non-strict order relation on Val is ≥ and its strict part is denoted by > (that is, x > y ⟺ x ≥ y ∧ x ≠ y).

While it seems that most applications of SCT use total orders (e.g., comparing data objects by their size), there are exceptions (notably in conjunction with term rewriting systems). In fact, all notions and results in this paper work equally well with partial orders, and even partial quasi-orders (where ≥ is not antisymmetric), except for the global ranking functions, which presume a total order. For uniformity, I chose to make total order the basic assumption.

Definition 2.5 (states). Let A be an n-variable MCS. A state of A (or an abstract state) is a pair (f, σ), where f ∈ F and σ : {1, ..., n} → Val represents an assignment of values to the variables.

Satisfaction of a predicate e with free variables x1, ..., xn (for example, x1 > x2) by an assignment σ is defined in the natural way, and expressed by σ ⊨ e. If e is a predicate involving the 2n variables x1, ..., xn, x1', ..., xn', we write σ, σ' ⊨ e when e is satisfied by setting the unprimed variables according to σ and the primed ones according to σ'.

Definition 2.6 (transitions). A transition is a pair of states, a source state s and a target state s'. For G : f → g ∈ A, we write (f, σ) —G→ (g, σ') if σ ⊨ I_f, σ' ⊨ I_g and σ, σ' ⊨ G. We say that transition (f, σ) —G→ (g, σ') is described by G.

G is called unsatisfiable if it describes no transition.

The transition system associated with A is the relation T_A defined by

    (s, s') ∈ T_A ⟺ s —G→ s' for some G ∈ A.

Practically, the transition system would be an abstraction of the transitions of a concrete 
program. The variables of flow points might represent actual data in the program, but quite 
often they are already an abstraction, like the size of a concrete object (this is, in fact, the 
source for the name of the SCT method). 

Definition 2.7 (run). A run of T_A is a (finite or infinite) sequence of states s = s0, s1, s2, ... such that for all i, (s_i, s_{i+1}) ∈ T_A.

Note that by the definition of T_A, a run is associated with a sequence of CFG arcs labeled by G1, G2, ... where s_{i-1} —G_i→ s_i. This sequence constitutes a walk in the CFG (recall that a walk is a directed path where repeated nodes and arcs are allowed).

Definition 2.8 (termination). Transition system Ta is uniformly terminating if it has no 
infinite run. 

MCS A is said to be terminating if Ta is uniformly terminating for any choice of Val. 

Definition 2.9 (⊢). Let P(s, s') be any predicate over states s, s', possibly written using variable names, e.g., x1 > x2 ∧ x2 < x3. We write G ⊢ P if ∀s, s' : s —G→ s' ⇒ P(s, s').

Definition 2.10. A global ranking function for a transition system T with state space St is a function ρ : St → W, where W is a well-founded set, such that ρ(s) > ρ(s') for every (s, s') ∈ T.

A ranking function for an MCS A is a ranking function for T_A. Namely, it satisfies G ⊢ ρ(s) > ρ(s') for every G ∈ A.

The qualifier global may be omitted in the sequel, since this paper does not deal with 
the notion of local ranking functions. 
[Figure 2 (image not reproduced): a multipath with nodes x[t, i] for t = 0, ..., 3 and i = 1, 2, 3.]

Figure 2: A multipath.



Example 2.3 (continued). The MCS of Figure 1 is terminating. To see this, note first that the set of constraints s —G2→ s' ∧ s' —G1→ s'' is unsatisfiable (the reader is invited to verify this by writing the constraints down, or by inspecting the graphs). Thus, a G2-transition will never be followed by a G1; in other words, a valid run can switch from G1 to G2 but cannot switch back. In G2, variable z decreases; it also decreases in G1, if followed by G1 again (the reader is, again, invited to verify this).

We conclude that the following function descends (lexicographically) in every possible transition, and constitutes a ranking function for this program:

    ρ(x, y, z) = (1, z)  if y > x
    ρ(x, y, z) = (0, z)  if y ≤ x.

Note that the MCs are not size-change graphs. Their best approximations as size-change graphs are G1^sc = {z ≥ y'} and G2^sc = {z > z'}, which do not prove termination. In fact, the issue of unsatisfiable combinations of constraints (as for G2 followed by G1) never arises with SCT instances; this is one of the salient differences between the MC abstraction and the SCT one.






3. Multipaths, Walks and Termination

The purpose of this section is to formulate the combinatorial termination condition for 
monotonicity constraint systems, that is, the property that MC graphs should satisfy so that 
termination of any associated transition system can be deduced. This approach was very 
useful in the study of the SCT abstraction, and we would like to define the corresponding 
notions for MCS so that for the special case of SCT, they match the known results. 

The size-change termination principle [26] states that a program is known to terminate 
if "in every (hypothetic) infinite run, something descends infinitely". In order to analyse 
such an infinite run, we analyse sequences of size-change graphs (and more generally, MC 
graphs) that describe such runs. For this purpose, we introduce the concept of a multipath 
(following [26]). 



3.1. The Criterion for Monotonicity Constraint Systems.

Definition 3.1 (multipath). Let A be an n-variable MCS, and let f0 —G1→ f1 —G2→ f2 ... be an MC-labeled path in the CFG. The multipath M that corresponds to this path is a (finite or infinite) graph with nodes x[t, i], where t ranges from 0 up to the length of the path, and 1 ≤ i ≤ n. Its arcs are obtained by merging the following sets: for all t ≥ 1, M includes the arcs of G_t, with source variable x_i renamed to x[t−1, i] and target variable x_j' renamed to x[t, j]. In addition, for all t ≥ 0, arcs representing the invariant I_{f_t} are included (with node x[t, i] representing x_i).

The multipath may be written concisely as G1 G2 ...; if M1, M2 are finite multipaths, M1 corresponding to a CFG path that ends where M2 begins, we denote by M1 M2 the result of concatenating them in the obvious way.

Figure 2 depicts multipath G1 G2 G1, based on the MCs from Figure 1.

Clearly, a multipath represents a conjunction of constraints on a set of variables associated with its nodes. We can consider assignments σ to these variables, where the value assigned to x[t, i] may be denoted σ[t, i]; such an assignment may satisfy the constraints, or not. A satisfying assignment defines a concrete run of T_A, along the given CFG path.

If we start at any node in a multipath, and walk along arcs, we are tracing a descending 
chain of values. This way, walks in the multipath may be used to prove when infinite 
multipaths are unsatisfiable. 

Definition 3.2. A walk that includes a strict arc is said to be descending. A walk that 
includes infinitely many strict arcs is infinitely descending. 

Definition 3.3 (termination criterion). An MCS A is size-change terminating if every infinite A-multipath has an infinitely descending walk.

Note that the walk above may actually be a cycle! In this case it is contained in a finite section of the multipath, and, logically, it implies the condition x > x for some variable x. Thus, such a multipath is unsatisfiable and corresponds to no concrete run. If the walk is not a cycle, it indicates an infinite descending chain of values and this contradicts well-foundedness. Once again, we conclude that the multipath is unsatisfiable. We conclude that if A is size-change terminating, it can have no infinite runs.

Lemma 3.4. If MCS A is size-change terminating, it is (semantically) terminating.

Proof. Suppose that A is size-change terminating. For any (hypothetical) infinite run s of T_A there is an underlying infinite path in the CFG, which induces a multipath M; the values assigned to variables in s should satisfy all constraints expressed by M, which is impossible because of the infinitely descending walk. □

Thus, size-change termination is a sound criterion for termination. 

To show completeness, we suppose that an infinite multipath without infinite descent exists, and show the existence of a domain Val over which this infinite multipath is satisfiable. This is achieved using the following definition and lemma.

Definition 3.5. Let S be any set. A binary relation ≻ on S is a strict order if it is transitive and irreflexive. A binary relation ≽ is a non-strict quasi-order if it is transitive and reflexive; if it is also antisymmetric, it becomes a (partial) order — the word partial tacitly applies to all the above.

Let ≻ be a strict order and ≽ a non-strict quasi-order. The relations are compatible if

$$a \succ b \Rightarrow a \succeq b \qquad (3.1)$$

$$a \succ b \wedge b \succeq c \Rightarrow a \succ c \qquad (3.2)$$

$$a \succeq b \wedge b \succ c \Rightarrow a \succ c \qquad (3.3)$$
It seems to be "folklore" that a well-founded partial order can be extended to a well-founded total order (given the axiom of choice or some similar machinery). The next lemma makes a slightly stronger statement (involving a quasi-order and a compatible strict order), and is given with proof.

Lemma 3.6. Let S be any set, ≽ a quasi partial order on S, and ≻ a compatible well-founded strict order. There is a well-ordered set B (with order ≥ and strict >) and a mapping h : S → B that agrees with the order relations, that is:

    x ≽ y ⇒ h(x) ≥ h(y)
    x ≻ y ⇒ h(x) > h(y)

Proof. Let X = P(S) \ {∅}. For each x ∈ X, let M_x be the set of minimal elements of x under ≻. This is always non-empty, since ≻ is well-founded. For x ∈ X and a ∈ x, let U_x^a = {b ∈ x | a ≽ b}; note that if a ∈ M_x then U_x^a ⊆ M_x and a ∈ U_x^a, so U_x^a is not empty.

Using the Axiom of Choice, let f be a choice function with f(x) ∈ M_x for all x ∈ X. Define, by transfinite induction over the class of all ordinals, the partial function g with range P(S) \ {∅}:

$$g(\beta) = U_y^{f(y)} \quad\text{where}\quad y = S \setminus \bigcup_{\gamma<\beta} g(\gamma),$$

unless y = ∅ or g(γ) is undefined for some γ < β.

Define, by the ZF axiom of replacement, B = {β | ∃x ⊆ S : g(β) = x}. Since B is a set of ordinals, it cannot contain all ordinals (by the Burali-Forti paradox), thus there is an ordinal α not in B. Identifying an ordinal with the set of smaller ordinals, (α + 1) \ B is a non-empty set of ordinals. Since the ordinals are well ordered, there is a least ordinal β ∈ (α + 1) \ B; in fact it is the least ordinal not in B. Therefore g(β) is undefined. It cannot be that the second "unless" clause in the definition holds (since β is the least such ordinal), so it must be that $S \setminus \bigcup_{\gamma<\beta} g(\gamma) = \emptyset$, and therefore for every a ∈ S there is some γ < β such that a ∈ g(γ). In fact, such γ is unique, since by construction the sets g(γ) are pairwise disjoint, so letting h(a) = γ defines a total function h : S → B.

We claim that h agrees with the order relations. To see this, let a, b ∈ S and let $y = S \setminus \bigcup_{\gamma<h(a)} g(\gamma)$. By the definition of h,

$$a \in g(h(a)) \subseteq M_y \subseteq y.$$

Suppose that a ≻ b. If h(a) ≤ h(b), then also b ∈ y, so a is not minimal in y and is not in M_y, a contradiction. Thus, h(a) > h(b), so > agrees with ≻. Next, suppose that a ≽ b; if b ∈ y, then (by the definitions of M_y and U_y^{f(y)}, and transitivity of ≽) we have b ∈ U_y^{f(y)} = g(h(a)); so h(b) = h(a). If b ∉ y, then h(b) < h(a). Either way, ≥ is seen to agree with ≽. □

Lemma 3.7. MCS A is terminating only if it is size-change terminating. 

Proof. Suppose that A is not size-change terminating. Hence, an infinite multipath M can 
be formed, without infinite descent. Let S be the set of nodes of M, identified by the usual 
notation x[t,i]. Our aim is to show that there is a model for M, that is, M is satisfiable. 



The proof is inspired by a proof of the well-ordering theorem in http://planetmath.org/encyclopedia/ProofOfZermelosWellOrderingTheorem.html (dated 2007-03-12).
We first define order relations on S. Specifically, define the relation ≽ on S by: x[t, i] ≽ x[s, j] if and only if M includes a walk from x[t, i] to x[s, j]. Define the relation ≻ on S by: x[t, i] ≻ x[s, j] if and only if M includes a descending walk from x[t, i] to x[s, j].

It is easy to verify that (S, ≽, ≻) satisfy the assumptions of the last lemma. We choose Val to be the well-ordered set B from the conclusion of the lemma, and σ to be the mapping h; then σ is an assignment that satisfies M. □

Combining Lemmas 3.4 and 3.7 we have

Theorem 3.8. MCS A is terminating if and only if it is size-change terminating.

3.2. The SCT criterion. The SCT condition [26] is similar to the MCS termination condition (Definition 3.3), but only concerns walks that proceed forward in the multipath. Obviously, with SCT graphs, there are no other walks anyway.

Definition 3.9. In a multipath, a thread is a walk that only includes arcs in a forward direction (x_i → x_j'). We say that MCS A satisfies SCT if every infinite A-multipath has an infinitely descending thread.

Note that for a general MCS, there is a difference between being size-change terminating 
and "satisfying SCT." The latter refers to the criterion defined above. 

Example 2.3 shows that the SCT condition, while clearly a sufficient condition for termination, is not a necessary one when general monotonicity constraints are considered.

4. Deciding Termination: the Closure Algorithm 

We will show in this section an algorithm to decide MCS termination. This algorithm is very similar to algorithms used in previous works such as [34, 27, 17] which, however, are not complete (see Section 5).



4.1. Consequence-closure and composition. 

Definition 4.1. A monotonicity constraint G is closed under logical consequence (or just closed) if, whenever G ⊢ x > y, for x, y ∈ {x1, ..., xn, x1', ..., xn'}, this constraint is explicitly included in G; and if G ⊢ x ≥ y, but not x > y, then x ≥ y is included in G.

Note that for G : f —i' g, the condition G \- P takes the invariants // and Ig into 
account (consider Definitions 12.61 and 12. 9p . Thus, a closed MC subsumes the invariants in 
its source and target states. 

Definition 4.2. An MC $H$ is at least as strong as $G$ if whenever $G \vdash P$, also $H \vdash P$. The (consequence) closure of a monotonicity constraint $G$, denoted $\bar{G}$, is the weakest MC that is at least as strong as $G$ and is consequence-closed.

Practically, calculating the closure means inserting into G all the relations that can be 
deduced from G. This is easy given the graph representation of the MC, as described next. 

Definition 4.3. The weighted-graph representation of an MC $G : f \to g$ consists of the same nodes as $G$, and an arc $x \to y$ for every relation $x \rhd y$ included in $G$, $I_f$ or $I_g$. Each non-strict arc is given a weight of $0$ and each strict arc, a weight of $-1$. Parallel arcs can be eliminated, preferring $>$ to $\ge$ (that is, keeping the lighter arc).

Lemma 4.4. Let $G^{wt}$ be the weighted-graph representation of MC $G$. Then $G$ is unsatisfiable if and only if a negative-weight cycle exists in $G^{wt}$. Assuming that $G$ is satisfiable, $\bar{G}$ includes an arc $x \to y$ if and only if a path from $x$ to $y$ exists in $G^{wt}$; this arc is strict if and only if there is a path of negative weight.

We omit the straightforward justification of this lemma. It implies that a standard All-Pairs Lightest-Path (weighted shortest-path) algorithm, such as the Floyd-Warshall algorithm [14], can be used to find out whether $G$ is satisfiable, and to compute $\bar{G}$ if it is, in polynomial time, specifically $O(n^3)$.

Remark: this is not best possible, asymptotically, but is a simple solution. Different improvements may be tried, but whether they are of practical value cannot be judged on a theoretical level, and would only make sense if the graphs are large. For example, one may divide the running time by a constant, dependent on the machine word length, using a bit-level representation. For sparse graphs with $a \ll n^2$ arcs, one may opt for an $O(na)$ solution based on repeated DFS (details are left to the reader).

Definition 4.5 (composition). The composition of MC $G_1 : f \to g$ with $G_2 : g \to h$, written $G_1; G_2$, is an MC with source $f$ and target $h$, which includes all the constraints among $s, s'$ implied by $\exists s'' : s \mapsto_{G_1} s'' \wedge s'' \mapsto_{G_2} s'$.

Composition, too, can be implemented efficiently by a lightest-path algorithm applied to the multipath $G_1 G_2$. As already noted, the procedure also determines whether the multipath is satisfiable (note that, as Example 2.3 demonstrates, two satisfiable MCs may form an unsatisfiable multipath).

The same graph procedure can be applied to any finite multipath $M = G_1 \dots G_\ell$. It computes $\bar{M} = G_1; \dots; G_\ell$, which we call the collapse of $M$ (if $\ell = 1$, it is the consequence-closure of $G_1$). Thus, $\bar{M}$ includes an arc $x_i \to x'_j$ if and only if $M$ includes a path from node $x[0,i]$ to node $x[\ell,j]$; and similarly for the other combinations ($x_i \to x_j$, $x'_i \to x'_j$ and $x'_i \to x_j$). The arc is strict if and only if the path includes a strict arc. This gives us the following observation.

Observation 4.6. Consider an infinite $\mathcal{A}$-multipath $M$, represented as the concatenation of finite segments $M_1 M_2 \dots$, and let $M' = (\bar{M_1})(\bar{M_2}) \dots$. If $M'$ has an infinite descending walk, so does $M$.

Definition 4.7 (closure set). Given an MCS $\mathcal{A}$, its closure set $\mathcal{A}^*$ is

$$\{\bar{M} \mid M \text{ is a satisfiable } \mathcal{A}\text{-multipath}\}.$$

The set $\mathcal{A}^*$ is finite, since there are finitely many possible MCs.

4.2. A termination test. 

Definition 4.8 (cyclic multipath). We say that a multipath $M$ (possibly a single MC) is cyclic if its source and target flow-points are equal. This is equivalent to stating that $MM$ is a valid multipath.

Definition 4.9 (circular variant). For an MC $G$, the circular variant $G^\circ$ of $G$ is a directed graph obtained by adding, for every parameter $x_i$, an edge between $x_i$ and $x'_i$. This edge is treated as a pair of no-change arcs ($x_i \to x'_i$ and $x'_i \to x_i$, both non-strict), but is distinguished from any arcs already present in $G$. These additional edges are called shortcut edges.

This definition is meant to be used with a cyclic MC. The shortcut edges are used to analyze the effect of juxtaposing multiple copies of $G$ (as in the multipath $GG$). This will be clearer in the proof of Theorem 4.12.

Definition 4.10 (types of cycles). Let $G$ be a cyclic MC. A cycle in $G^\circ$ is a path commencing and ending at the same node. It is a forward cycle if it traverses shortcut edges more often in the backward direction (from $x'_i$ to $x_i$) than it does in the forward direction¹.

A balanced cycle is a cycle that traverses shortcut edges equally often in both directions. 

A cycle is descending if it includes a strict arc. 

Definition 4.11 (Local Termination Test). We say that $G$ passes the Local Termination Test, or LTT, if $G$ has a descending cycle, either forward or balanced.

See Figure 3, Parts (a)-(c), for an example of a forward descending cycle. If the strict arc into $x'_1$ shown there were replaced with a strict arc from the same source into $x_2$, a balanced cycle would ensue.

Using the graph representation, the Local Termination Test is not hard to implement; let us sketch the algorithm, leaving the proof and fine details to the interested reader. First, we note that one can test one strongly connected component (SCC) of $G^\circ$ at a time, and only if it includes a strict arc. Secondly, we claim that if there is any forward cycle in such an SCC, then the SCC contains a forward descending cycle. This case can be identified by assigning weights to arcs ($-1$ to a backward traversal of a shortcut edge, $+1$ to a forward traversal, and $0$ to the arcs of $G$, so that a cycle is forward exactly when its weight is negative) and looking for a negative-weight cycle using, say, the Bellman-Ford shortest-path algorithm [13]; this takes $O(na)$ time if the graph has $n$ nodes and $a$ arcs². If no cycle of this kind exists, there can only be a balanced descending cycle, which would constitute a zero-weight cycle containing a strict arc; having computed the single-source shortest-path distances, such cycles can easily be found since they are cycles in the shortest-path graph (the subgraph of arcs that are tight with respect to the distances).

Theorem 4.12. MCS $\mathcal{A}$ is size-change terminating if and only if every cyclic MC in $\mathcal{A}^*$ passes the Local Termination Test.

Proof. For the forward implication (the "if"), suppose that every cyclic MC in $\mathcal{A}^*$ passes the Local Termination Test. Consider an infinite $\mathcal{A}$-multipath $M = G_1 G_2 \dots$ and assume, by way of contradiction, that it is satisfiable.

Consider the set of positive integers, and label each pair $(t, t')$, where $t < t'$, by

$$G = G_t; G_{t+1}; \dots; G_{t'-1}$$

which must be in $\mathcal{A}^*$, since this multipath is satisfiable. Thus every pair has a label, and the set of labels is finite. By Ramsey's theorem (in its infinite version), there is an infinite set of positive integers, $I$, such that all pairs $(t, t')$ with $t, t' \in I$ carry the same label $G_I$.

Thus for any $t, t' \in I$ with $t < t'$, $G_t; G_{t+1}; \dots; G_{t'-1} = G_I$. By Observation 4.6 it now suffices to show that the multipath $(G_I)^\omega$ (infinite sequence of $G_I$'s) has an infinite descending walk.

Let $v_1, e_1, v_2, e_2, \dots, e_{s-1}, v_s$ be the nodes and arcs (alternatingly) of the descending cycle in $G_I$, where each $v_j$ is either $x_{i_j}$ or $x'_{i_j}$ for some index $i_j$. We can map the cycle onto a walk in $(G_I)^\omega$, as follows. The first node is $x[s, i_1]$. If the arc $e_1$ is an ordinary arc of $G$, the walk follows this arc to $x[s+1, i_2]$, $x[s, i_2]$ or $x[s-1, i_2]$ (depending on the direction of the arc). If $e_1$ is a shortcut arc, the walk is not extended: $v_2$ is also mapped to $x[s, i_1]$ (necessarily $i_2 = i_1$). We proceed in this manner until we complete the cycle and return to $v_1$. At this point, our walk will have reached a node $x[s', i_1]$ for some $s'$. The relation among the forward and backward crossings of shortcut edges implies that $s' \ge s$; specifically $s' = s$ in the "balanced" case, and $s' > s$ in the "forward" case (hence the name). In the former case, we have discovered a descending cycle in $(G_I)^\omega$, which indicates unsatisfiability. In the latter, we have a walk from $x[s, i_1]$ to $x[s+d, i_1]$ for some positive $d$; another such walk can be added to reach $x[s+2d, i_1]$, and so on; we conclude that an infinitely-descending walk occurs in $(G_I)^\omega$. This establishes the forward implication (see Figure 3).

¹ This naming may seem strange, but we will later see that such a cycle is "unwound" into a forward-going walk in the multipath $G^\omega$.

² A better result, at least theoretically, is $O(a\sqrt{n})$ for $n$ nodes and $a$ arcs, due to Goldberg [19].

Figure 3: (a) An MC $G$; (b) its circular variant $G^\circ$; (c) the directions of shortcut edges are set to form a forward descending cycle; (d) a walk in a prefix of $G^\omega$, corresponding to the cycle. The notation $x_i^t$ is a shorthand for $x[t,i]$. (Example after Codish, Lagoon and Stuckey.)

For the converse implication, suppose that MCS $\mathcal{A}$ is size-change terminating, and let $G$ be a cyclic MC in $\mathcal{A}^*$. Consider the multipath $G^\omega$. Note that $G = \bar{M}$ for some finite, satisfiable $\mathcal{A}$-multipath $M$. Let $\ell$ be the length of $M$. Consider the infinite $\mathcal{A}$-multipath $M^\omega$, obtained by concatenating infinitely many copies of $M$, to which we shall refer as blocks. By assumption, $M^\omega$ has an infinite descending walk. If this walk is a cycle, contained entirely within one of the blocks, then $M$ is unsatisfiable, and $\bar{M}$ will not appear in $\mathcal{A}^*$. Thus, the walk must cross block boundaries. Let us concentrate on the variables $x[t\ell, i]$ occurring on these boundaries. Since the walk is infinitely descending, some index $i$ has to occur twice on the walk, say at nodes $x[t\ell, i]$ and $x[t'\ell, i]$ where $t < t'$, and there has to be a strict arc between these two points³. There is thus a descending walk from $x[t\ell, i]$ to $x[t'\ell, i]$. Such a walk can be transformed into a cycle $C$ in $G^\circ$ in the following way: starting with $x[t\ell, i]$, pick the first segment $S$ of the walk (at least a single arc) that ends up again on a block boundary. If $S$ ends up in $x[(t+1)\ell, j]$, include in $C$ the $G$ arc $x_i \to x'_j$ followed by a backward shortcut arc to $x_j$. If $S$ ends up in $x[t\ell, j]$ for some $j \ne i$ then $G$ includes either an arc $x_i \to x_j$ or an arc $x'_i \to x'_j$. In the former case, include $x_i \to x_j$ in $C$; in the latter, include the path $x_i \to x'_i \to x'_j \to x_j$ where the first and last arcs are shortcuts. Finally, if $S$ ends up in $x[(t-1)\ell, j]$, include in $C$ the path $x_i \to x'_i \to x_j$ where the first arc is a (forward) shortcut. This process continues until we get to $x[t'\ell, i]$ in the original walk, whereupon $C$ will end at $x_i$, becoming a cycle. Each segment that advances by a block contributes one backward shortcut and each segment that retreats by a block one forward shortcut, so the inequality $t' > t$ implies that the number of forward shortcuts in $C$ will not exceed the number of backward shortcuts.

We conclude that a descending cycle, either balanced or forward, exists in $G^\circ$. □

³ These considerations apply equally to walks that are cycles and to "open" walks.

Algorithm 4.13 (Deciding termination of an MCS $\mathcal{A}$).

(1) Build $\mathcal{A}^*$ by a transitive closure procedure:
  (a) Initialize a set $S$ to $\{\bar{G} \mid G \in \mathcal{A} \text{ is satisfiable}\}$.
  (b) For any $G : f \to g$ and $H : g \to h$ in $S$, include also $G;H$ in $S$, unless it is unsatisfiable.
  (c) Repeat the above step until no more elements can be added to $S$.
  At this point, $S$ is $\mathcal{A}^*$ (we omit a detailed proof).

(2) For each cyclic $G$ in $S$, apply the Local Termination Test to $G$. Pronounce failure (non-termination) if a graph that fails the test is found.

(3) If the previous step has completed, the MCS terminates.
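The following Python program is an added example and is not code from the paper or from any of the analysers it cites. It implements Lemma 4.4 (satisfiability and consequence closure by Floyd-Warshall on the weighted graph), Definition 4.5 (composition as lightest paths in the multipath $G_1G_2$), step (1) of Algorithm 4.13 (the closure set $\mathcal{A}^*$) and the Local Termination Test of Definition 4.11 in the weighted form sketched above, and combines them into the decision procedure. The node numbering, the `{(u, v): strict}` encoding of an MC and the treatment of state invariants as trivially true are assumptions of the example, as is the choice to run the LTT per strict arc with Bellman-Ford instead of per SCC. The program is checked on the cyclic MC $x > y \wedge x' < y'$ of Section 4.5, which is accepted through a balanced descending cycle, and on the increasing MC $x' > x$, which is rejected.

```python
"""Closure, composition, closure set and Local Termination Test for
monotonicity constraints (MCs), after Lemma 4.4, Definitions 4.5, 4.7,
4.9-4.11 and Algorithm 4.13. Encoding (an assumption of this example): for
n variables, node i (0 <= i < n) is x_{i+1} and node n+i is x'_{i+1}; an MC
is a dict {(u, v): strict}, u > v if strict else u >= v; invariants are true."""
from itertools import product

INF = float("inf")


def lightest_paths(num_nodes, weighted):
    """Floyd-Warshall over arcs weighted 0 (non-strict) or -1 (strict).
    A negative diagonal entry afterwards means a negative cycle (Lemma 4.4)."""
    d = [[INF] * num_nodes for _ in range(num_nodes)]
    for i in range(num_nodes):
        d[i][i] = 0
    for (u, v), w in weighted.items():
        d[u][v] = min(d[u][v], w)
    for k in range(num_nodes):
        for i in range(num_nodes):
            if d[i][k] < INF:
                for j in range(num_nodes):
                    if d[i][k] + d[k][j] < d[i][j]:
                        d[i][j] = d[i][k] + d[k][j]
    return d


def arcs_from_distances(d, nodes, rename):
    """Arc u -> v exists iff a path does; strict iff the lightest is negative."""
    return {(rename[u], rename[v]): d[u][v] < 0
            for u in nodes for v in nodes if u != v and d[u][v] < INF}


def closure(n, arcs):
    """Consequence closure of an MC (Definition 4.2); None if unsatisfiable."""
    d = lightest_paths(2 * n, {a: -1 if s else 0 for a, s in arcs.items()})
    if any(d[i][i] < 0 for i in range(2 * n)):
        return None
    return arcs_from_distances(d, range(2 * n), list(range(2 * n)))


def compose(n, g1, g2):
    """G1;G2 (Definition 4.5): lightest paths in the multipath G1G2 on the 3n
    nodes s, s'', s', keeping arcs among s and s'; None if G1G2 is unsatisfiable."""
    weighted = {}
    for arcs, shift in ((g1, 0), (g2, n)):        # G2 sits one layer later
        for (u, v), s in arcs.items():
            key = (u + shift, v + shift)
            weighted[key] = min(weighted.get(key, 0), -1 if s else 0)
    d = lightest_paths(3 * n, weighted)
    if any(d[i][i] < 0 for i in range(3 * n)):
        return None
    keep = list(range(n)) + list(range(2 * n, 3 * n))
    return arcs_from_distances(d, keep, {v: v if v < n else v - n for v in keep})


def closure_set(n, system):
    """A* (Definition 4.7) by step (1) of Algorithm 4.13: close the set of
    satisfiable MCs under composition. `system` lists (f, g, arcs) triples."""
    star = set()
    for f, g, arcs in system:
        c = closure(n, arcs)
        if c is not None:
            star.add((f, g, frozenset(c.items())))
    while True:
        new = set()
        for (f, g, a), (g2, h, b) in product(star, star):
            if g == g2:
                c = compose(n, dict(a), dict(b))
                if c is not None:
                    new.add((f, h, frozenset(c.items())))
        if new <= star:
            return star
        star |= new


def passes_ltt(n, arcs):
    """Local Termination Test (Definition 4.11) on the circular variant G°.
    Backward shortcut x'_i -> x_i weighs -1, forward shortcut x_i -> x'_i +1,
    arcs of G 0, so a closed walk weighs <= 0 iff it is forward or balanced.
    G passes iff some strict arc u > v closes a walk v ~> u of weight <= 0
    (or -inf, when a negative cycle lies between v and u)."""
    m = 2 * n
    weighted = {a: 0 for a in arcs}
    for i in range(n):
        weighted.setdefault((i, i + n), 1)       # an arc of G there wins
        weighted[(i + n, i)] = -1
    preds = {v: [u for (u, x) in weighted if x == v] for v in range(m)}

    def reaches(goal):                           # nodes with a walk to goal
        seen, todo = {goal}, [goal]
        while todo:
            for u in preds[todo.pop()]:
                if u not in seen:
                    seen.add(u)
                    todo.append(u)
        return seen

    def lightest_walk(start, goal):              # Bellman-Ford from start
        dist = [INF] * m
        dist[start] = 0
        for _ in range(m - 1):
            for (u, v), w in weighted.items():
                dist[v] = min(dist[v], dist[u] + w)
        upstream = reaches(goal)
        for (u, v), w in weighted.items():       # still relaxable: neg. cycle
            if dist[u] + w < dist[v] and v in upstream:
                return -INF
        return dist[goal]

    return any(lightest_walk(v, u) <= 0 for (u, v), s in arcs.items() if s)


def terminates(n, system):
    """Algorithm 4.13: terminating iff every cyclic element of A* passes."""
    return all(passes_ltt(n, dict(a))
               for f, g, a in closure_set(n, system) if f == g)


if __name__ == "__main__":
    print(terminates(2, [("f", "f", {(0, 1): True, (3, 2): True})]))  # True
```

The closure set is built naively, composing every composable pair until nothing new appears, exactly as step 1(c) says; subsumption and the idempotent-only test discussed in Section 4.3 are not applied. For the LTT, the whole of $G^\circ$ is tested rather than one SCC at a time: for each strict arc $u > v$, Bellman-Ford from $v$ either reaches $u$ at weight at most $0$, or finds a negative cycle on the way, and either case is a forward or balanced descending closed walk through that arc.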

4.3. Complexity of Algorithm 4.13. The determining factor in the worst-case complexity of the algorithm is the number of elements in $\mathcal{A}^*$. An easy upper bound on the number of possible MCs, ignoring the identity of the source and target flow-points, is $6^{2n^2}$, as each MC has $2n$ variables and six possible relations among any pair of them ($x < y$, $x > y$, $x \ge y$, $x \le y$, $x = y$ or none). Thus, the size of the closure set is at most $m^2 6^{2n^2}$, where $m$ is the number of flow-points.

As long as the algorithm does not fail, any pair of elements that can be composed (i.e., MCs associated with CFG arcs $f \to g$ and $g \to h$, for any $f, g, h$) has to be considered (Step 1(b)). To each such pair, we apply composition, and if the result is cyclic, the local termination test. Thus we obtain an upper bound of

$$O\big(m^3 (6^{2n^2})^2 n^3\big) = O\big(m^3 6^{4n^2} n^3\big).$$

This is an over-estimate; however, a significantly better bound (i.e., with $o(n^2)$ exponent) is not known for this algorithm. Note that the next section provides algorithms of better worst-case bounds: specifically, reducing the exponent from $\Theta(n^2)$ to $O(n \log n)$.

We remark that the management of data structures is, in this case, not costly, since all we need is to maintain a set of MCs so that one can efficiently add an element while testing to see if it was not already there. This can be done, for instance, by a radix tree [14], where each operation takes linear time in the number of bits that describe an MC (that is, $O(n^2)$).

Despite the exponential time and space complexity, a similar algorithm for SCT has 
proved quite useful in practice; and there are techniques to improve its performance, that 
are also applicable here. Let us briefly discuss these (admitting that the ultimate test of 
such techniques is empirical). 

An important technique is reducing the size of the set $S$ by subsumption [7, 18]. An MC $G$ is said to subsume $H$ if $G$ is less constrained than $H$; that is, every transition described by $H$ is also described by $G$. With consequence-closed graphs, testing subsumption is easy (every arc of $G$ must appear in $H$, with at least the same strictness). And in this case, one can safely ignore $H$. There is a cost involved in finding out whether subsumption occurs, whenever an element is to be added to $S$. But the reduction in the size of $S$ seems to make this worthwhile.

Another sort of optimization appears in [17, 26]: instead of applying the LTT to every element of $\mathcal{A}^*$, it suffices to do so for the idempotent ones (elements $G$ such that $G;G = G$). This strategy does not reduce the size of the closure set maintained, only the number of local tests. In SCT, it also reduces the complexity of the local test: as shown in [26], it suffices to look for in-situ descent, that is, an arc of the form $x_i \xrightarrow{>} x'_i$ (which yields a forward descending cycle of length 2). This is not the case for general monotonicity constraints; for a little example, note that the MC in Figure 3 is idempotent, but does not include in-situ descent.

A warning is in order: if the set $S$ is reduced by subsumption, it is incorrect to test just the idempotent graphs. That is, there are non-terminating instances where an idempotent counter-example will not be found, as subsumption will have removed it⁴. Thus one has to choose between applying subsumption or testing only idempotent graphs, and it seems clear that the former option has much greater impact.

4.4. Complexity of the decision problem. What is the complexity class of the decision problem MCS Termination? Algorithm 4.13 takes exponential time and space, but a polynomial-space version is possible. It is most likely worse in practice, but for theoretical completeness, let us prove

Theorem 4.14. The MCS Termination problem is PSPACE-complete.

Proof. It is known [26] that the SCT Termination problem is PSPACE-hard, which also applies to MCS because SCT is a special case. To show that the problem is in PSPACE, we will outline a non-deterministic polynomial-space algorithm for the complement problem, that is, non-termination. The result will follow since (by Savitch's theorem) coNPSPACE = NPSPACE = PSPACE.

Algorithm 4.13 can be seen as a search for a counter-example: a cycle in the CFG that induces a multipath that fails the test. The non-deterministic algorithm guesses such a cycle. In each step, it adds a transition to the cycle while computing the composition of the next MC with a graph that represents the collapse of the multipath traversed so far. Only this graph, along with the current flow-point, has to be maintained in memory (a closed MC over $2n$ variables takes $O(n^2)$ bits). Whenever the current flow-point is the same as the initial one, the local termination test is applied. If at some point an unsatisfiable MC results, the algorithm has failed to find a counter-example. Otherwise it continues until finding one. □



Remark. Since both the MCS termination problem and SCT termination are PSPACE-complete, a polynomial-time reduction of the former to the latter is known to exist. However, it is not given explicitly, and it is not clear whether such a reduction can be implemented efficiently enough to be actually useful. On the other hand, the next section will show a reduction in exponential time that, paradoxically, may be useful (in fact, the reduction produces an easy instance of SCT, one which can be analyzed in polynomial time, as shown in Section 6).



⁴ Alexander Krauss, private communication.
4.5. Comparison to previous algorithms. As previously mentioned, there have already been termination analyzers that dealt with monotonicity constraints, but Codish et al. [12] pointed out that their decision procedures were not complete; they emphasized the case of integers (as was mentioned in the introduction), but the incompleteness already occurs in the well-founded model. In fact, those procedures are similar to Algorithm 4.13, and using the terminology of this section we can present them so that the change in the new algorithm becomes clear.

Definition 4.15. Let $G$ be a cyclic MC. A cycle in $G^\circ$ is a zig-zag cycle if it alternates arcs of $G$ with shortcut edges, the latter always in the backward direction (from $x'_i$ to $x_i$).

Note that a zig-zag cycle alternates forward arcs of $G$ ($x \to y'$) with shortcut edges. This does not mean, however, that other arcs in the MC are ignored, because they might give rise to forward arcs by transitivity.

Definition 4.16. We say that $G$ passes Sagiv's Test if $G$ has a zig-zag descending cycle.

Clearly, this test is a special case of the LTT, and it should be easy to see that they coincide for SCT graphs. The reader probably sees, already, why this test is incomplete. In fact, Figure 3 shows a terminating instance that it misses.

Sagiv's test is from [34] and was used in the Termilog system as described in [27], and the TerminWeb system as described in [13]. Later, in [17], the algorithm was refined by observing that it suffices to test idempotent elements. This improves its coverage (consider the cyclic MC $x > y \wedge x' < y'$) but it is still incomplete, by the same example.

It should be noted that this comparison is based on a "translation" of the cited works to MCS terms. They actually analyze logic programs. As for the algorithm proposed in [12], the discussion is postponed to the next section where it fits more naturally.

5. Fully Elaborated Systems and Stability 

In this section we describe a procedure that while increasing the size of an abstract 
program, simplifies its termination proof; in fact, we get back to the SCT condition. This 
result is interesting theoretically, for understanding the relation between the two formalisms, 
and also forms a basis for the algorithm in the following section (that determines termination 
while constructing an explicit ranking function). 

The procedure duplicates flow-points while refining their invariants; this means that 
computations that reach the same program location under different conditions (i.e., different 
ordering of the variable values) will be represented as reaching different flow-points in the 
abstract program. Similar transformations can be found in program analysis in various 
guises (for example, in [2^ and subsequent works, flow points are queries to Prolog clauses 
and are duplicated for different instantiation patterns). When we apply the transformation 
to monotonicity constraint systems in a brute-force way, we obtain what we shall call a fully 
elaborated system. We will see, in this section and the next, that fully elaborated systems 
are MC systems of a particularly structured kind. 

In order to express the correctness of a transformation on abstract programs we begin 
by defining "simulation." 
5.1. Simulation. We define the notions of simulation and bisimulation for transition systems of the kind used in this work. A transition system $\mathcal{A}$ simulates another one $\mathcal{B}$ if (informally speaking) they have the same transition sequences, up to the identity of flow points and the indexing of variables.

Definition 5.1. Let $\mathcal{A}, \mathcal{B}$ be transition systems, with flow-point sets $F^{\mathcal{A}}, F^{\mathcal{B}}$ respectively, and both having states described by $n$ variables over $\mathit{Val}$. We say that $\mathcal{A}$ simulates $\mathcal{B}$ if there is a relation $\phi \subseteq F^{\mathcal{B}} \times F^{\mathcal{A}}$ ("correspondence of flow-points") and, for all $(f, g) \in \phi$, a bijection $\psi_{g,f} : \{1, \dots, n\} \to \{1, \dots, n\}$ ("variable renaming") such that for every (finite or infinite) state-transition sequence $(f_1, \sigma_1) \mapsto (f_2, \sigma_2) \mapsto (f_3, \sigma_3) \mapsto \cdots$ of $\mathcal{B}$ there is a corresponding sequence $(g_1, \sigma'_1) \mapsto (g_2, \sigma'_2) \mapsto (g_3, \sigma'_3) \mapsto \cdots$ of $\mathcal{A}$ with $(f_i, g_i) \in \phi$ and $\sigma'_i = \sigma_i \circ \psi_{g_i, f_i}$. We say that $\mathcal{A}$ bisimulates $\mathcal{B}$ if, in addition, for every (finite or infinite) state-transition sequence $(g_1, \sigma'_1) \mapsto (g_2, \sigma'_2) \mapsto (g_3, \sigma'_3) \mapsto \cdots$ of $\mathcal{A}$ there is a corresponding sequence $(f_1, \sigma_1) \mapsto (f_2, \sigma_2) \mapsto (f_3, \sigma_3) \mapsto \cdots$ of $\mathcal{B}$, also with $(f_i, g_i) \in \phi$ and $\sigma'_i = \sigma_i \circ \psi_{g_i, f_i}$.

Thus, $\mathcal{A}$ bisimulates $\mathcal{B}$ if they simulate each other via the same pair of mappings.

Definition 5.2. We say that an abstract program $\mathcal{A}$ (bi-)simulates an abstract program $\mathcal{B}$ if $\mathcal{T}_{\mathcal{A}}$ (bi-)simulates $\mathcal{T}_{\mathcal{B}}$, via mappings $\phi$ and $\psi$, as above.

We say that $\mathcal{A}$ simulates $\mathcal{B}$ deterministically if for every $f \in F^{\mathcal{B}}$ and assignment $\sigma$ satisfying $I_f$ there is a unique $g \in F^{\mathcal{A}}$ with $(f, g) \in \phi$ such that, letting $\sigma' = \sigma \circ \psi_{g,f}$, assignment $\sigma'$ satisfies $I_g$.

If $\mathcal{A}$ bisimulates $\mathcal{B}$, and $\mathcal{A}$ simulates $\mathcal{B}$ deterministically, we say (for brevity) that $\mathcal{A}$ bisimulates $\mathcal{B}$ deterministically.

Determinism means that the invariants of different $\mathcal{A}$ flow-points that simulate a given $\mathcal{B}$ flow-point have to be mutually exclusive.

Observation 5.3. Suppose that S bisimulates T. Then S uniformly terminates if and only 
if T does. 



5.2. Elaboration. 

Definition 5.4 (full elaboration). An MCS A is fully elaborated if the following conditions 
hold: 

(1) Each state invariant fully specifies the relations among all variables. That is, for $i, j \le n$, one of $x_i = x_j$, $x_i < x_j$ or $x_i > x_j$ is implied by $I_f$.

(2) Each MC is closed under logical consequence. 

(3) No MC in A is unsatisfiable. 

Since the state invariant fully determines the relations among all variables, we can re-index the variables into sorted order, so that the invariant becomes

$$x_1 \;\{=,<\}\; x_2 \;\{=,<\}\; \cdots \;\{=,<\}\; x_n. \tag{5.1}$$

Of course, the re-indexing has to be incorporated also in MCs incident to this flow-point, but this is straightforward to do. Indexing the variables in sorted order has some convenient consequences, such as having the following property:

Definition 5.5. $G$ has the downward closure property if for all $k < j$, $x_i \ge x'_j \in G$ entails $x_i \ge x'_k \in G$; and $x_i > x'_j \in G$ entails $x_i \rhd x'_k \in G$ for some $\rhd \in \{\ge, >\}$.
The number of possible orderings of $n$ variables plays a role in the combinatorics of fully elaborated instances. Note that equalities are possible. Therefore, the number of orderings is not $n!$, but a slightly larger number called the $n$th ordered Bell number $B_n$. An easily proved upper bound is $B_n < 2n^{n-1}$ (consider two cases: no equalities, or at least one). For more details, see [35, Seq. A000670]. We denote the set of these orderings by $\mathit{Bell}_n$, and assume that we fix some convenient representation so that orderings can be algorithmically manipulated (for example, a series of (in)equalities as in (5.1)).

The algorithm of full elaboration follows almost immediately from the definitions. 

Algorithm 5.6 (full elaboration). Given an MCS $\mathcal{B}$, this algorithm produces a fully-elaborated MCS $\mathcal{A}$ that bisimulates $\mathcal{B}$.

(1) For every $f \in F^{\mathcal{B}}$, generate flow-points $f_\pi$ where $\pi$ ranges over $\mathit{Bell}_n$. Define the variable renaming function $\psi_{f_\pi, f}$ so that $\psi_{f_\pi, f}(i)$ is the $i$th variable in sorted order, according to $\pi$. Thus, $I_{f_\pi}$ will have exactly the form (5.1).

(2) Next, for every MC $G : f \to g$ in $\mathcal{B}$, and every pair $f_\pi, g_\rho$, create an MC $G_{\pi,\rho} : f_\pi \to g_\rho$ as follows:
  (a) For every arc $x \rhd y \in G$, include the corresponding arc in $G_{\pi,\rho}$, according to the variable renaming used in the two $\mathcal{A}$ flow-points.
  (b) Complete $G_{\pi,\rho}$ by closure under consequences; unsatisfiable graphs (detected by the closure computation) are removed from the constructed system.

Example 5.7. Let the system $\mathcal{B}$ consist of a single flow-point, say $f$, with $I_f = \mathit{true}$; and a single MC over two variables,

$$G : x_1 > x'_1 \;\wedge\; x_2 > x'_2 \;\wedge\; x'_1 > x_2 .$$

In $\mathcal{A}$, we have $B_2 = 3$ flow-points $f_\pi$, namely: $f_{[x_1 < x_2]}$, $f_{[x_1 = x_2]}$, $f_{[x_1 > x_2]}$. For readability, let us denote the variables in $\mathcal{A}$ by $y_i$ instead of $x_i$: then $y_i$ represents $x_i$ in the first two flow-points, but in $f_{[x_1 > x_2]}$ the indices are exchanged, to obtain an increasing order of value.

Figure 4 shows three of the graphs $G_{\pi,\rho}$, first when initially constructed, just copying the arcs from $G$ according to the variable renaming, then after adding the invariants $I_{f_\pi}$ and $I_{f_\rho}$, and finally after closure under consequences. □

Complexity. For an MCS $\mathcal{B}$, let $|\mathcal{B}|$ denote the number of abstract transitions (MCs) in $\mathcal{B}$ (without loss of generality, $|\mathcal{B}| \ge |F^{\mathcal{B}}|$).

Lemma 5.8. Any MCS $\mathcal{B}$ with $n$ variables at any point can be transformed into a fully-elaborated system $\mathcal{A}$, deterministically bisimulating $\mathcal{B}$, in $O(|\mathcal{B}| n^{2n+1})$ time and space.

Proof. This follows from a straightforward analysis of Algorithm 5.6. Each MC $G$ yields $B_n^2 = O(n^{2n-2})$ offsprings $G_{\pi,\rho}$ (one per pair of orderings), and the work invested in each is $O(n^3)$ (as explained in the last section). □
Figure 4: Full-elaboration example. Dashed arcs are non-strict.



5.3. Stability. The main result of this section is a proof that MCS termination can be 
reduced to SCT termination, and that fully-elaborating the system achieves this. We begin 
by formalizing the significant property, enjoyed by fully-elaborated systems, which allows 
for the simplified termination proof: this property is called stability. 

Definition 5.9. An MCS $\mathcal{A}$ is stable if (1) all MCs in $\mathcal{A}$ are closed under logical consequence; (2) all MCs in $\mathcal{A}$ are satisfiable; (3) for all $G : f \to g$ in $\mathcal{A}$, whenever $G \vdash x_i \rhd x_j$ (a relation between source variables), that relation is included in $I_f$; (4) similarly, if $G \vdash x'_i \rhd x'_j$, that relation is included in $I_g$.

Note that just replacing every MC by its consequence-closure (if satisfiable) will satisfy 
conditions (1) and (2), but will not necessarily make the system stable, since it may fail to 
satisfy (3)-(4). In fact, these conditions may force flow-points to be duplicated, since two 
MCs coming out of / may disagree on the conditions that must be placed in If. 

Observation 5.10. A fully elaborated system is stable. 

Full elaboration can be seen as a brute-force way of "stabilizing" an MCS. A system can also be stabilized by an iterative fixed-point computation, which is likely to end up with less duplication of flow points and MCs. For completeness, such an algorithm is described in Section 5.5. But let us now first present the benefits of stability.

Lemma 5.11. In a stable MCS, every finite multipath is satisfiable. 

Proof. Let $\mathcal{A}$ be a stable MCS. Let $M$ be a finite $\mathcal{A}$-multipath. For $M$ to be unsatisfiable, it must include a descending cycle. We shall prove that if a descending cycle exists in $M$, then the shortest descending cycle must be contained in a single MC. But this would make the MC unsatisfiable, contradicting the assumption of stability.

Suppose, to the contrary, that the shortest descending cycle spans more than one MC. Suppose that it spans MCs $G_a, G_{a+1}, \dots, G_b$. We can assume that it includes a source node of $G_a$, for otherwise $G_a$ is unnecessary (by stability, an arc among target nodes of $G_a$ also appears in $G_{a+1}$). So, there is a node $v = x[a-1, i]$ on the cycle. The node that precedes it on the cycle is a node of $G_a$, and so is the node that succeeds $v$. Since all three nodes lie in the same MC, which is consequence-closed, this two-arc path can be replaced by a single arc, deleting $v$ from the cycle. Thus, the presumed shortest cycle is not shortest. □

Figure 5: Three examples of walks from $x[t, i_{j_t}]$ to $x[t+1, i_{j_{t+1}}]$: in the first (topmost), $t^*$ can be chosen as $t+1$ or $t+2$; in the second, only as $t+2$; in the third, as either $t$ or $t+1$.

Theorem 5.12. A stable MCS is terminating if and only if it satisfies SCT. 

Proof. Let $\mathcal{A}$ be a stable MCS. If $\mathcal{A}$ satisfies SCT, it is terminating, since the SCT condition is a special case of the MCS termination criterion. For the converse direction, assume that $\mathcal{A}$ satisfies the MCS termination criterion; we will prove that it satisfies SCT. Let $M$ be an infinite $\mathcal{A}$-multipath. We know that it has an infinitely descending walk. Lemma 5.11 shows that it cannot be a cycle. Therefore, it extends to infinity. We shall prove that, under this assumption, there is an infinitely descending thread.

The walk is made out of arcs $x[t_k, i_k] \to x[t_{k+1}, i_{k+1}]$ for $k = 0, 1, \dots$. For all $t \ge t_0$, let $j_t$ be the first occurrence of $t$ in the sequence $t_0, t_1, \dots$; note that this is well defined. The walk is broken into segments leading from $x[t, i_{j_t}]$ to $x[t+1, i_{j_{t+1}}]$, of which infinitely many are descending. We claim that each of these segments can be replaced with a single arc, strict when appropriate. This implies that SCT is satisfied.

As there is a walk from $x[t, i_{j_t}]$ to $x[t+1, i_{j_{t+1}}]$, consider the shortest one (the shortest strict one, if appropriate). Suppose that it consists of more than one arc. Then there is a node $x[t^*, i_{j^*}]$ occurring inside the segment (not at its ends) such that the node preceding it, $x[t^-, i_{j^-}]$, and the node succeeding it, $x[t^+, i_{j^+}]$, satisfy either $t^-, t^+ \le t^*$ or $t^-, t^+ \ge t^*$ (it may take a little reflection to see that such a node must exist; see Figure 5). Then consider the two arcs, from $x[t^-, i_{j^-}]$ to $x[t^*, i_{j^*}]$ and from $x[t^*, i_{j^*}]$ to $x[t^+, i_{j^+}]$; they must both lie in the same MC, and by consequence closure, there is a single arc (strict if any of the two arcs is) to replace these two arcs. Thus, the presumed shortest walk is not shortest.

We conclude that the shortest walk consists of a single arc, which is then a forward arc in the MC. We conclude that an infinitely descending thread exists in $M$, so that SCT is satisfied. □



5.4. A decision algorithm. As an immediate corollary, we obtain a new algorithm to 
decide MCS termination. Namely, 



22 BEN-AMRAM 



Algorithm 5.13 (Deciding termination of an MCS $\mathcal{A}$).

(1) Stabilize the system (e.g., by full elaboration).

(2) Apply an SCT decision algorithm.

Note that since we are deciding SCT, we can ignore any "backward" arcs ($x'_j \to x_i$), as well as the state invariants, in other words retain just SCT graphs. This observation may possibly be useful in optimizing an implementation.

Another natural expectation is that it would be desirable in practice to avoid full elaboration when possible, using a more economical stabilization procedure. Such a procedure is described next. We will discuss the efficiency of Algorithm 5.13 afterwards.

5.5. A more economical stabilization. Given an MCS $\mathcal{B}$, the following algorithm computes a stable system $\mathcal{A}$ that bisimulates it. No variable renaming is used, so we only have to compute the set of flow-points and the mapping $\phi$.

Algorithm 5.14 (Stabilization by fixed-point computation).

(1) Initialize the system $\mathcal{A}$: flow-points in $\mathcal{A}$ will be uniquely identified by a pair $(f, I)$ where $f$ is the corresponding $\mathcal{B}$ flow-point and $I$ is a state invariant. Initially, for every $f \in F^{\mathcal{B}}$, we have $(f, I_f)$ in $\mathcal{A}$ where $I_f$ is the invariant from $\mathcal{B}$. Set $\phi$ to associate $f$ with $(f, I_f)$ and copy all MCs and invariants from $\mathcal{B}$.

(2) Replace all MCs with their closure under logical consequence; if an MC is unsatisfiable, delete it.

(3) Repeat the following process until instructed to stop:
  (a) Search for an MC $G : (f, I_f) \to (g, I_g)$ which is not stable (checking for stability is a simple graph algorithm based on Lemma 4.4). If no such MC is found, stop.
  (b) Since $G$ is not stable, there is a relation $x_i \rhd x_j$ such that $G \vdash x_i \rhd x_j$, but $x_i \rhd x_j$ is not in $I_f$ (or a similar situation on the $g$ side).
    (i) Suppose that the missing relation is $x_i \ge x_j$. Create two $\mathcal{A}$ flow-points to replace $(f, I_f)$: $(f, I_f \wedge (x_i \ge x_j))$ and $(f, I_f \wedge (x_i < x_j))$. If any of these points is already in $\mathcal{A}$, there is nothing more to do about it. For a point which is new, all MCs previously leading from and to $(f, I_f)$ have to be copied to this new flow-point (and closed again under consequences with the refined invariant; a copy that becomes unsatisfiable, as $G$ does at the point carrying $x_i < x_j$, is deleted). Finally the old flow-point $(f, I_f)$ is deleted.
    (ii) If the missing relation is $x_i > x_j$, the flow-points created will be $(f, I_f \wedge (x_i > x_j))$ and $(f, I_f \wedge (x_i \le x_j))$. The rest is as above.

It is not hard to see that the above loop will terminate. In fact, the number of $\mathcal{A}$ flow-points corresponding to a given $\mathcal{B}$ flow-point $f$ is bounded (by $B_n$), so at some point the set of flow-points will stop growing, and then all MCs must be stable. Note that this algorithm will not change an SCT instance; SCT instances are stable.

5.6. Efficiency of analysing an MCS by reduction to SCT. To analyse the efficiency 
of Algorithm 5.13 we have to consider two questions. First, what is the cost of stabilization? 
The cost of full elaboration is $O(|B| n^{2n+1})$, where $B$ is the input system. Algorithm 5.14 may 
take less, and it seems reasonable to expect it to take less in many instances (where there 
are variables in the abstract program that are not related to each other). The worst case, 
however, is to reach full elaboration. 

Then, an SCT decision procedure has to be applied. What SCT procedure? It is 
interesting to consider the closure-based algorithm [26], the SCT version of Algorithm 4.13; 
this is apparently the most popular SCT algorithm (as witnessed by, e.g., [37, 30, 18]). Let 
$A$ be the stabilized system. Suppose that it has $m$ flow-points. Its closure set can reach 
(at the worst case) a size of approximately $m^2 3^{n^2}$, as there are $3^{n^2}$ possible size-change 
graphs for a given pair of flow-points. The complexity of the algorithm is thus bounded by 
$m^2 3^{n^2} \le (B_n)^2 3^{n^2}$ times some low-order polynomial, so, succinctly, it is $2^{\Theta(n^2)}$. 

Surprisingly, the worst-case complexity drops if we assume that the MCS has been fully 
elaborated (at first sight the wasteful choice). In fact, fixing a pair of flow-points, there 
are less than $n^{2n}$ different graphs between them that have the downward closure property 
(see the definition of that property). This property is preserved by composition, so the closure computed in deciding 
SCT will be bounded by $m^2 n^{2n}$, where $m \le B_n = 2^{O(n \log n)}$, so the total complexity will 
be $2^{O(n \log n)}$. Thus, full elaboration improves the asymptotic worst-case complexity of the 
closure algorithm. However, as the next section will show, if we have a fully-elaborated 
system, there is actually a polynomial-time algorithm that decides termination (and more); 
this is because the SCT instance obtained is of a special structure. Hence, there is no need 
to do anything as costly as a closure computation. 



5.7. The Codish-Lagoon-Stuckey Algorithm. The decision algorithm suggested by [H] 
is to first compute the closure set of a given MCS, and then, to every cyclic MC, apply "bal-
ancing" which is similar to our stabilization but on a local basis. After balancing, the cyclic 
graphs are tested, as for SCT. Thus, the algorithm is very similar to Algorithm 4.13; the 
LTT is replaced by the balancing procedure followed by Sagiv's test (which as in SCT takes 
a simpler form for idempotent graphs). 

Clearly, this test must be equivalent to the LTT in its results; its complexity may differ, 
though grosso modo they are similar — both are low-order polynomial in the size of the MC. 

Codish, Lagoon and Stuckey do not prove completeness of their analysis with respect to 
termination of the original system, but to termination of each tested graph as a singleton; 
however this gap is not hard to bridge. Thus, we have at our disposal three slightly different 
algorithms for deciding MCS termination (four, when the results of the next section are 
taken into account); but it may suffice to take only two home: one closure-based algorithm 
(I propose Algorithm 4.13), and one based on full elaboration (and the continuation to be 
given in the next section). The first has a higher worst-case complexity, $m^2 2^{\Theta(n^2)}$ versus 
$m^2 2^{O(n \log n)}$, but it has a lower best-case complexity, which may be useful in practice. 
Moreover, its upper bound drops to $m^2 2^{\Theta(n \log n)}$ for a useful class of SCT instances, fan-in 
free graphs [8]. 

A clarification may be due regarding the assumptions made on $Val$. Section 2.2 includes 
the statement "all notions and results in this paper work equally well with partial orders, 
and even partial quasi-orders." Full elaboration, as well as the "economic" stabilization, 
assume that the order is total: for any $u, v \in Val$, one of $u < v$, $u = v$ and $u > v$ must 
hold. However, by Lemma 3.6 it is possible to extend a given partial order to a total one. 
While this extension is not necessarily constructive, this does not matter: it suffices to 
imagine that such an extension is being used in order to explain the algorithm. After all, 
the termination condition does not really depend on the semantic domain, since it can be 
stated in pure graph terms (Section 3.1). 

The results of the following section are an exception: if we ask, not only for a decision 
regarding termination, but for a ranking function, the order on $Val$ must really be total, 
since the ranking function descends in an order derived from it. 
6. Constructing a Global Ranking Function 

This section describes a ranking-function construction for monotonicity constraint sys- 
tems. At the heart of the construction is an algorithm that constructs a ranking function, if 
possible, for a fully-elaborated system. It does so in polynomial time, which highlights the 
fact that fully-elaborated systems are a special class of SCT instances. They are also special 
in that their global ranking functions are particularly simple — a tuple of elements (constants 
or variables) is associated with each flow-point, and these descend lexicographically in each 
and every transition. 

The rest of this section is organized as follows. The first subsection presents tools that 
are used in exposing the structure of a fully-elaborated system. The second employs them 
to construct ranking functions. The third puts together the result for general monotonicity 
constraint systems. 

6.1. Thread preservers and freezers. In preparation for the analysis of fully elaborated 
systems, we define complete threads, thread preservers and freezers and prove some essential 
properties. Note: when notions of connectivity are applied to an MCS (for example, "$A$ is 
strongly connected"), they actually concern the underlying control-flow graph. 

Definition 6.1 (complete thread). A thread in a given multipath is complete if it starts at 
the beginning of the multipath, and is as long as the multipath. 

Lemma 6.2. If a strongly connected MCS satisfies SCT, every finite multipath includes a 
complete thread. 

Proof. Assume that SCT is satisfied by the given MCS; then every infinite multipath con-
tains an infinite thread. Let $M$ be any finite multipath, beginning and ending at the same 
flow-point. Consider $M^\omega$, i.e., the concatenation of infinitely many copies of $M$. From an 
infinite thread in $M^\omega$ one can clearly "cut out" a complete thread in one of the copies of $M$. 
Thus, every finite multipath that begins and ends at the same flow-point has a complete 
thread. A multipath $M'$ that does not end at the point of departure can be extended to 
a multipath that does, since we assumed strong connectivity of the MCS. Thus, it has a 
complete thread. □

Definition 6.3 (thread preserver). Given MCS $A$, a mapping $P : F^A \to \mathcal{P}(\{1, \dots, n\})$ is 
called a thread preserver of $A$ if for every $G : f \to g$ in $A$, it holds that whenever $i \in P(f)$, 
there is $j \in P(g)$ such that $x_i \to x'_j \in G$. 

It is easy to see that the set of thread preservers of $A$ is closed under union. Hence, 
there is a unique maximal thread preserver, which we denote by MTP($A$). Given a standard 
representation of $A$, MTP($A$) can be found in linear time (for details see [7]). 

Definition 6.4. A variable $x_i$ is called thread-safe at flow-point $f$ if every finite $A$-multipath, 
starting at $f$, includes a complete thread from $x_i$. 

Lemma 6.5. Let $A$ be a fully-elaborated, strongly connected, terminating constraint system. 
For every $f$, let $S(f)$ be the set of indices of variables that are thread-safe at $f$. Then $S(f)$ 
is not empty for any $f \in F^A$ and $S$ is a thread preserver. 

Proof. Let $M$ be any finite $A$-multipath starting at $f$. Observe that since $A$ satisfies SCT 
and is strongly connected, there must be a complete thread in $M$, say starting at $x_j$. But 
then $x_n$ can also start a thread (note the downward-closure of fully-elaborated MCs). It 
follows that $n \in S(f)$. 

We now aim to show that $S$ is a thread preserver. Let $i \in S(f)$, and let $G : f \to g$. 
Every finite multipath $M$ beginning with $G$ has a complete thread that begins with an arc 
from $x_i$, say $x_i \to x'_{j_M}$. Let $J$ be the set of all such indices $j_M$, and $k = \max J$. Then 
$x_i \to x'_k$ is an arc of $G$, because $k \in J$; and by the downward-closure property one can see 
that every $M$ has a complete thread beginning with the arc $x_i \to x'_k$. Hence, $k \in S(g)$ and 
the proof is complete. □

Informally, with a fully elaborated system, we are assured by this lemma that non- 
empty thread preservers exist. The next lemma shows that given any thread preserver we 
can find, within it, a singleton thread preserver. This comes very close to identifying a 
ranking function (or at least a quasi-ranking function, defined in the next subsection). 

Lemma 6.6. Let $A$ be a fully-elaborated, terminating MCS, and $S$ a thread preserver, where 
$S(f) \ne \emptyset$ for all $f$. For every $f \in F^A$, let $i_f = \min S(f)$. Then $P(f) = \{i_f\}$ is a thread 
preserver. In other words, every MC $G : f \to g$ includes $x_{i_f} \to x'_{i_g}$. 

Proof. By the definition of a thread-preserver, $G$ must have an arc $x_{i_f} \to x'_j$ with 
$j \in S(g)$; so by downward-closure, $G$ includes $x_{i_f} \to x'_{i_g}$. □

Definition 6.7 (freezer). Let $C : F \to \{1, \dots, n\}$ denote a choice of one variable for each 
flow-point. Such $C$ is called a freezer for $A$ if for every $G : f \to g$ in $A$, $G \vdash x_{C(f)} = x'_{C(g)}$. 

Informally, a freezer is a singleton thread-preserver where the values are "frozen" since 
all the arcs represent equality. 

Lemma 6.8. Let $A$ be a stable MCS that satisfies SCT, and has a freezer $C$. If for every 
$f$, variable $x_{C(f)}$ is ignored, SCT will still be satisfied. 

Proof. Let $M$ be an infinite multipath of $A$; by the SCT property, $M$ has an infinitely 
descending thread $\tau$. Observe that $C$ induces an infinite thread $\vartheta$ in $M$, consisting entirely 
of no-change arcs. We claim that $\vartheta$ can have at most finitely many intersections with 
$\tau$. To prove it, assume the contrary. Then there must be a strict arc in $\tau$ between two 
intersections. That is, the nodes at the intersections are connected by a descending path 
(via $\tau$) and by a no-change path (via $\vartheta$), which is a contradiction, making this part of $M$ 
unsatisfiable. But, according to Lemma 5.1, this cannot happen. It follows that $M$ has 
an infinitely descending thread (namely $\tau$, minus some finite prefix) that avoids the frozen 
variables. Since this holds for any infinite multipath, SCT is satisfied with these variables 
omitted. □



6.2. Ranking functions for fully-elaborated systems. From this point on, fix $A$ to be 
a fully-elaborated system. 

Provided that it terminates, a ranking function will be constructed. To precisely specify 
the form of this function, we define vectors (definition from [8], but simplified). 

Definition 6.9 (vectors). Let $n > 0$ represent the number of variables in a program under 
consideration, and let $B > 0$ be some integer. $V_n^B$ is the set of tuples $v = (v_1, v_2, \dots)$ of 
even length, where every even position is a variable among $\{x_1, \dots, x_n\}$, such that every 
variable appears at most once; and every odd position is an integer between $0$ and $B$. 

Definition 6.10. The value of $v \in V_n^B$ in program state $(f, \sigma)$, denoted $v\sigma$, is obtained by 
substituting the values of variables according to $\sigma$. This results in a tuple with elements 
of $Val$ and integers in even and odd positions, respectively. Such tuples are compared 
lexicographically. 

The functions we construct have a simple form: to each flow-point $f$ a vector $v_f$ is 
associated so that $\rho(f, \sigma) = v_f\sigma$. Thus, for every transition $(f, \sigma) \mapsto (g, \sigma')$, we shall have 
$v_f\sigma \succ v_g\sigma'$, where $\succ$ is the strict lexicographic order. 

The construction is incremental. To justify the incremental construction, we define 
quasi ranking functions and residual transition systems. 

Definition 6.11. Let $T$ be a transition system with state space $St$. A quasi-ranking 
function for $T$ is a function $\rho : St \to W$, where $W$ is a well-founded set, such that 
$\rho(s) \ge \rho(s')$ for every $(s, s') \in T$. 

The residual transition system relative to $\rho$, denoted $T/\rho$, includes all (and only) the 
transitions of $T$ which do not decrease $\rho$. 

Note that when Lemma 6.6 applies, it provides a quasi-ranking function: 
$\rho(f, \sigma) = (x_{i_f})\sigma$. 

The next couple of lemmas are quite trivial but we spell them out because they clarify 
how a ranking function may be constructed incrementally. We consider the codomain of all 
our functions to consist of lexicographically-ordered tuples over "scalars" (a scalar is either 
a constant or a variable) and we use the notation v ++ u for concatenation of tuples. 

Lemma 6.12. Assume that $\rho$ is a quasi-ranking function for $T$, and $\rho'$ a ranking function 
for $T/\rho$; then $\rho$ ++ $\rho'$ is a ranking function for $T$. 

Lemma 6.13. Assume that the CFG of $A$ consists of a set $C_1, \dots, C_k$ of mutually discon-
nected components (that is, there is no arc from $C_i$ to $C_j$ with $i \ne j$). If for every $i$, $\rho_i$ is 
a ranking function for $A$ restricted to $C_i$, then $\bigcup_i \rho_i$ is a ranking function for $A$. 

Lemma 6.14. Suppose that the CFG of $A$ consists of several strongly connected components 
(SCCs). Let $C_1, \dots, C_k$ be a reverse topological ordering of the components. Define a 
function $\rho(s)$ for $s = (f, \sigma)$ as the index $i$ of the component $C_i$ including $f$. Then $\rho$ is a 
quasi-ranking function (with co-domain $[1, k]$) and it is strictly decreasing on every transition 
represented by an inter-component arc. 

The following algorithm puts all of this together. Note: a CFG whose arc set is empty 
is called vacant. A strongly connected component whose arc set is empty is called trivial 
(it may have connections to other components). 

Algorithm 6.15. (ranking function construction for $A$) 

The algorithm assumes that $A$ is fully elaborated. If $A$ terminates, a ranking function 
will be returned. Otherwise, the algorithm will fail. 

We assume that the representation of $A$ allows for "hiding" certain variables of any 
given flow point. This affects subsequent MTP computations, which will ignore the hidden 
variables. 

(1) List the SCCs of $A$ in reverse-topological order. For each $f \in F^A$, let $\kappa_f$ be the position 
of the SCC of $f$. Form $A'$ by deleting all the inter-component transitions. If $A'$ is vacant, 
return $\rho$ where $\rho(f, \sigma) = \kappa_f$. 

(2) For each SCC $C$, compute the MTP, using the algorithm in [7]. If empty, report failure 
and exit. 

(3) For every $f$, let $x_{i_f}$ be the lowest MTP variable of $f$. 

(4) For every graph $G : f \to g$, if it includes a strict arc $x_{i_f} \to x'_{i_g}$, delete the graph from $A'$; 
otherwise, retain the graph but hide $x_{i_f}$. 

(5) For every $f$, let $\rho(f, \sigma) = (\kappa_f, x_{i_f})\sigma$. 

(6) If $A'$ is now vacant, return $\rho$. Otherwise, compute a ranking function $\rho'$ recursively for 
$A'$, and return $\rho$ ++ $\rho'$. 



Correctness. We claim that the abstract program $A'$, passed to the recursive call, always 
represents the residual transition system $T_A/\rho$. This should be clear when we delete graphs 
that strictly decrease $\rho$. The less-trivial point is the treatment of graphs $G$ where the MTP 
arc $x_{i_f} \to x'_{i_g}$ is non-strict (Step 4). To obtain the residual system precisely we should have 
replaced the inequality constraints with equalities: $x_{i_f} = x'_{i_g}$. However, having done so, the 
set of indices $C(f) = i_f$ becomes a freezer, and therefore can be ignored (Lemma 6.8). 

Hiding the "frozen" variables ensures that these variables will not be used again in p' . 
So in the final tuple p{f,a) ++ p'{f,a), each variable will occur at most once. This shows, 
in particular, that the recursion always terminates, which means that the residual transition 
system is eventually vacant, and when this happens, we have a ranking function. 

Complexity. The algorithm will make at most $n$ passes in which two elements are added to 
the tuple. The costly part of a pass is the MTP computation which takes time linear in the 
sum of sizes of all the MC graphs, that is, $|A| n^2$ (recall that $|A|$ is the number of MCs). In 
subsequent passes, the system is diminished, so an upper bound on the total running time 
is $O(|A| n^3)$. 
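As an added example (not the paper's or the author's code), the following Python carries Algorithm 6.15 through on a small constructed system, computing the maximal thread preserver of Definition 6.3 as a greatest fixed point and ordering the SCCs as in Lemma 6.14; the input format it assumes (variables indexed so that each invariant reads $x_1 \le \dots \le x_n$, forward arcs only, arc sets closed under consequence) is stated in its header comment.

```python
# Added example, not the paper's code: Algorithm 6.15 on a fully-elaborated MCS.
# Assumed input: a list of MCs (f, g, arcs), variables indexed so that each state
# invariant reads x1 <= x2 <= ... <= xn, only forward arcs stored as a dict
# {(i, j): strict} meaning x_i >= x'_j (x_i > x'_j if strict), closed under consequence.

def sccs_reverse_topological(points, mcs):
    # SCCs ordered so that every inter-component arc goes from a later component to
    # an earlier one (Lemma 6.14): sorting by reach-set size gives that order.
    reach = {f: {f} for f in points}
    changed = True
    while changed:                           # iterate to the transitive closure
        changed = False
        for f, g, _ in mcs:
            if reach[g] - reach[f]:
                reach[f] |= reach[g]
                changed = True
    comps, seen = [], set()
    for f in points:
        if f not in seen:
            comp = frozenset(h for h in reach[f] if f in reach[h])
            seen |= comp
            comps.append(comp)
    return sorted(comps, key=lambda c: len(reach[next(iter(c))]))

def maximal_thread_preserver(points, mcs, n, hidden):
    # Greatest fixed point of Definition 6.3: drop i from P(f) while some MC
    # leaving f has no arc from x_i into P(g); hidden variables are ignored.
    P = {f: set(range(1, n + 1)) - hidden[f] for f in points}
    changed = True
    while changed:
        changed = False
        for f, g, arcs in mcs:
            for i in sorted(P[f]):
                if not any((i, j) in arcs for j in P[g]):
                    P[f].discard(i)
                    changed = True
    return P

def ranking_function(mcs, n, hidden=None):
    # Returns {f: (kappa_f, x_i, kappa'_f, x_j, ...)}, or None when A does not terminate.
    points = sorted({f for f, _, _ in mcs} | {g for _, g, _ in mcs})
    hidden = hidden or {f: frozenset() for f in points}
    comps = sccs_reverse_topological(points, mcs)                # step 1
    kappa = {f: k for k, comp in enumerate(comps, 1) for f in comp}
    rho = {f: (kappa[f],) for f in points}
    live = [mc for mc in mcs if kappa[mc[0]] == kappa[mc[1]]]    # this is A'
    if not live:
        return rho
    live_points = sorted({f for f, _, _ in live} | {g for _, g, _ in live})
    P = maximal_thread_preserver(live_points, live, n, hidden)   # step 2
    if any(not P[f] for f in live_points):
        return None
    low = {f: min(P[f]) for f in live_points}                    # step 3
    for f in live_points:
        rho[f] += (f"x{low[f]}",)                                # step 5
    residual = []
    for f, g, arcs in live:                                      # step 4
        assert (low[f], low[g]) in arcs, "input is not fully elaborated"
        if not arcs[(low[f], low[g])]:       # non-strict arc: keep it, freeze x
            residual.append((f, g, arcs))
    if not residual:
        return rho
    hidden = {f: hidden[f] | {low[f]} for f in live_points}      # hide (Lemma 6.8)
    rest = ranking_function(residual, n, hidden)                 # step 6
    if rest is None:
        return None
    for f, tail in rest.items():
        rho[f] += tail
    return rho

def value(vector, sigma):
    # Definition 6.10: substitute the state's variable values into the vector.
    return tuple(sigma[v] if isinstance(v, str) else v for v in vector)

# Constructed sample: two flow-points, n = 2, invariant x1 <= x2 everywhere.
SAMPLE = [
    ("f", "f", {(2, 2): True, (2, 1): True}),                 # x2 > x2'
    ("f", "f", {(2, 2): False, (2, 1): True, (1, 1): True}),  # x2 >= x2', x1 > x1'
    ("f", "g", {(2, 2): False, (2, 1): False}),               # x2 >= x2'
    ("g", "g", {(1, 1): True, (2, 1): True}),                 # x1 > x1'
]
```

On SAMPLE the construction returns the vectors $(2, x_2, 1, x_1)$ for f and $(1, x_1)$ for g, and a system whose only MC is the non-strict self-loop $x_1 \ge x'_1$ makes it fail, since after freezing $x_1$ no thread preserver remains.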

6.3. Ranking functions for all! So far, we have constructed ranking functions for fully-
elaborated systems. To construct a ranking function for a general MCS $B$, we first transform 
it into a fully-elaborated $A$ using Algorithm 5.6. Then, Algorithm 6.15 can be applied. The 
ranking function for $A$ can be translated to one for $B$, as the next lemma shows. 

Lemma 6.16. If $A$ simulates $B$ deterministically, any ranking function for $A$ can be trans-
formed into a ranking function for $B$. 

Proof. Let $\rho$ be the $A$ ranking function. The $B$ ranking function is defined for state $(f, \sigma)$ as 
$\rho(g, \sigma')$ where $g$ is the unique point such that $(f, g) \in \phi$ and $\sigma' \models I_g$, where $\sigma' = \sigma \circ \psi_{g,f}$. □

When $A$ is fully elaborated, we have a function $\rho$ where $\rho(g, \sigma)$ is a fixed vector $v_g$ for 
every $g \in F^A$; thus the resulting $B$ ranking function has the form 

$$\rho(f, \sigma) = \begin{cases} v_{g_1}(\sigma \circ \psi_{g_1,f}) & \text{if } \sigma \circ \psi_{g_1,f} \models I_{g_1} \\ v_{g_2}(\sigma \circ \psi_{g_2,f}) & \text{if } \sigma \circ \psi_{g_2,f} \models I_{g_2} \\ \quad \vdots & \end{cases}$$

where $g_1, \dots, g_t$ are the $A$ flow-points associated with $B$ flow-point $f$. 

This function may be simplified by combining rows that have the same vector as the 
function's value, so we do not have to list $B_n$ rows. One example of such a function appears 
in the introduction (conclusion of Example 2.3). For another example, consider the MCs 
depicted in Figure 6. A ranking function of the form we consider is 

$$\rho(x_1, x_2, x_3, x_4) = \begin{cases} (1, x_1, 1, x_3) & \text{if } x_1 \ge x_2 \\ (1, x_2, 1, x_4) & \text{if } x_1 < x_2 \end{cases}$$

(obviously, the 1-valued entries can be dropped). 

Figure 6: MCs for ranking function example. There is a single flow-point. 

Theorem 6.17. Let $B$ be a terminating MCS, with $m$ flow-points and $n$ variables per point. 
There is a ranking function $\rho$ for $B$ where $\rho(f, \sigma)$ is defined by a set of vectors as in Definition 6.9, 
each one associated with certain inequalities on variables, which define the region where the 
given vector is the function value. There are at most $B_n$ different vectors for any flow-point. 
The complexity of constructing $\rho$ is $O(|B| \cdot n^{2n+1})$. 

Proof. Fully-elaborating $B$ takes $O(|B| n^{2n+1})$ time and creates a system with $O(|B| n^{2n-2})$ 
MCs. The running time of Algorithm 6.15 on the result is $O(|A| n^3) = O(|B| n^{2n+1})$. □



Remarks. This is the first algorithm to construct explicit ranking functions for any ter- 
minating MCS, but even when restricting attention to SCT instances, the results improve 
upon previous publications. The improvement over [8] is that any positive instance can be 
handled; the improvement over [25] is that in that work, the vectors were possibly doubly 
exponential in length (as a function of n) and the complexity of the construction was only 
bounded by a triply exponential function. 

The complexity of our construction is optimal (or very nearly so) in two senses. 

• [1] considers ranking functions of the form described above, and shows that there are 
SCT instances with $n$ variables that require $(n-1)!$ distinct vectors per flow-point. Our 
construction yields the close upper bound $B_n$. 

• In a vector, each variable appears at most once. This is clearly optimal since they may all 
be involved in the termination proof. This also means that the codomain of the ranking 
functions has the smallest necessary ordinal (in general). 

Finally let us remark that since the processing of a fully-elaborated system is polynomial- 
time, it is advantageous to use it rather than applying any general SCT decision procedure, 
even if all we want is a yes-no answer. 



7. Rooted Versus Uniform Termination 

In this paper, the notion of termination used was uniform termination, which means 
that there must be no cycles in the whole state space of the modelled transition system. 
Practically, it may be desirable to account for rooted termination, when only computation 
paths beginning at a given initial point $f_0$ (and satisfying its state invariant) are considered, 
thus avoiding some false alarms. 
</gr_repl>
<gr_replace lines="1538-1539" cat="clarify" orig="In this paper, uniform">
In this paper, uniform termination was chosen in favor of simplicity. However, it is not 
difficult to adapt our methods to rooted termination; [26] shows how to do that for SCT. 

In this paper, uniform termination was chosen in favor of simplicity. However, It is not 
be difficult to adapt our methods to rooted termination; |26j shows how to do that for SCT. 



8. Conclusion and Research Questions 

We studied the MCS abstraction, an appealing extension of the Size-Change Termi- 
nation framework, showing how several elements of the theory of SCT can be achieved in 
the stronger framework: sound and complete termination criteria, closure-based algorithms 
based on local termination tests, and the construction of global ranking functions (which 
improves on previously-published work even for SCT). A key technique was refining the ab- 
straction, using state invariants to separate out the behaviour under different assumptions 
on the relative order of variables. We showed that MCS termination can be simplified in 
this way not only to SCT termination, but to an easy case thereof. 

The contribution of this paper is theoretical; hopefully, it will trigger further research, 
moving towards the practical application of the theory. 

The algorithms in this article were aimed at simplicity of presentation and analysis 
and can certainly be improved. If the purpose is just to decide termination (and possibly 
produce a non-terminating multipath if one exists), there is a choice between a closure-
based algorithm (Section 4) and an algorithm based on full elaboration (Section 6). While 
theoretically, full elaboration reduces the exponent in the worst-case time from $\Theta(n^2)$ to 
$\Theta(n \log n)$, avoiding it may well be more efficient in practice. The intriguing effectiveness 
of the (theoretically worst) closure-based algorithms was discussed, in the context of SCT, 
by Fogarty and Vardi [18]. 

Algorithm 6.15 has been implemented in Java, but so far has only been tried out 
with toy examples, so it is too early to speak of an empirical evaluation. As expected, 
memory fills up quickly when the number of variables is enlarged. It seems clear that 
in a practical implementation, both for deciding termination and for constructing ranking 
functions, avoiding unnecessary combinatorial explosion is imperative. Some tactics that 
should probably be used include an initial analysis to identify the subset of variables that are 
pertinent to termination [3, 29], and — obviously — handling one SCC of the original system 
at a time, instead of fully-elaborating all at once. Furthermore, we may choose to resort to 
heuristics that sacrifice completeness for efficiency. In the context of SCT analysis, some 
heuristics have been studied [HI [TJ [6], and similar approaches can conceivably be useful 
with MCS. 

A possible extension of this work is modeling arbitrary Boolean combinations of order 
constraints (including disjunctions) in a direct way (rather than by converting to disjunctive 
normal form, as discussed in Section 2.1). It may be interesting to find out if this has 
practical interest. 

Finally, perhaps the most appealing aspect of MCS, compared to the SCT abstraction, 
is its usefulness in the integer domain. Adapting the theory of monotonicity constraint 
termination to the integer domain is to be the subject of a forthcoming paper. 